The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns.
Cyble threat intelligence researchers documented cyberattacks by 74 hacktivist groups in the Middle East region between June 13 and 17. The vast majority of the hacktivist groups – more than 90% – are considered pro-Iran. Most of the cyberattacks have targeted Israeli organizations. Iran has been a target in several of the cyberattacks, and the regional cyber conflict has also spilled over into Egypt, Jordan, the UAE, Pakistan and Saudi Arabia.
Cyberattacks launched by hacktivist groups in the region have included DDoS attacks, website defacements, unauthorized access, and data breaches – and the launch of ransomware/wiper and banking malware campaigns. In the midst of the increased cyber activity, Iran has apparently begun restricting internet access in an attempt to limit Israeli cyber operations.
Middle East Hacktivism Includes Information Operations
After the outbreak of hostilities on June 13, Cyble detected a significant escalation in hacktivist activity targeting Israel and several regional states. The operations were driven by a broad coalition of ideologically motivated actors, many of whom identify with pro-Palestinian, pro-Iranian, or anti-Western narratives, Cyble said in an advisory to threat intelligence clients this week.
Israel was the principal target, with dozens of cyberattacks affecting government, defense, media, telecom, finance, education, and emergency services. The majority of incidents involved distributed denial-of-service (DDoS) attacks, but there were also cases of unauthorized access, defacement, data breaches, and ransomware deployment.
Hashtags used in the cyber campaigns have included:
- #SalomZionist
- #OpIsrael
- #OneUmmah
- #FreePalestine
- #SupportIran
- #HackForHumanity
- #OpJordan
The full list of hacktivist groups detected by Cyble is detailed in the graphic below:
In addition to publicizing their own DDoS attacks and defacement operations, hacktivist groups have been systematically using their Telegram channels to amplify the broader cyber and geopolitical narrative. This includes reposting claims of attacks by affiliated or ideologically aligned collectives, thus reinforcing “a sense of decentralized coordination,” Cyble said.
The groups’ content streams frequently include pro-Iranian and pro-Palestinian narratives, often framed in “emotive and polarizing terms,” the researchers said. A notable trend is the circulation of video footage depicting missile strikes and drone operations, alongside graphic images of casualties from the Iranian side.
“These materials serve both as mobilization tools and as psychological warfare, blurring the line between cyber activity and information operations,” the Cyble advisory said. “The groups appear to position themselves not only as digital combatants but also as part of a broader resistance media ecosystem.”
Hacktivist Attacks: DDoS, Breaches, Malware Campaigns
Among the cyberattack claims documented by Cyble were five ransomware/extortion attacks claimed by Handala Group against Israeli organizations, including media, telecom, construction, education, and chemical/energy targets. The group provided data samples in two of the five claimed attacks.
Other notable hacktivist attack claims documented by Cyble in recent days included 34 DDoS attacks, five defacements, two data breaches, two cases of unauthorized access, a claim of a ransomware attack against an Israeli government target, a major attack on Iranian cryptocurrency exchange Nobitex, and four incidents involving data or credential leaks.
Among the hacktivist groups active in recent days and their targets were:
| Hacktivist group | Target |
| Anonymous Guys | Israel |
| Arabian Ghosts | Jordan |
| Handala Hack | Israel |
| Server Killers | Israel |
| RipperSec | Israel |
| Dienet | Israel |
| LulzSec Black | Israel |
| Cyber Ghost Team | Israel |
| Keymous+ | Egypt |
| GhostSec | Israel |
| Dark Storm Team | Israel |
| Yemen Cyber Army | Saudi Arabia |
| Anonymous Syria Hackers | Iran |
| Red Eagle | Pakistan |
| Mysterios Team | Egypt |
| Tunisian Maskers | Egypt |
| Unit Nine | Egypt |
| Islamic Hacker Army | Iran |
| Cyber Islamic Resistance | Israel |
| Nation of Saviors | Israel |
| Unknown Cybers Team | UAE |
| Mr Hamza | Israel |
| EvilByte | Israel |
| Digital Ghost | Israel |
| Cyber Fattah Team | Israel |
| Predatory Sparrow | Iran |
On June 16, a ransomware or wiper executable identified as “encryption.exe” was observed in the wild and attributed to a previously unreported threat actor known as Anon-g Fox. Notably, the malware checks the system’s time zone as Israel Standard Time (IST) and language as Hebrew before further executing. If those conditions are not present, it prevents execution with the error statement ‘This program can only run in Isreal’, thus suggesting a geopolitical motive, potentially linked to the ongoing Iran-Israel cyber conflict.
Cyble Research and Intelligence Labs researchers also uncovered a campaign involving the IRATA Android malware targeting banking applications in Iran. The malware has been observed impersonating government entities, including the Judicial System of the Islamic Republic of Iran and the Ministry of Economic Affairs and Finance. It targets over 50 banking and cryptocurrency applications, abusing the Accessibility service to identify the targeted bank, steal bank account numbers and balances, and harvest card data.
The malware is capable of remotely controlling the infected device and executing various actions such as hiding its icon, collecting SMS messages and contacts, capturing screenshots, and retrieving a list of installed applications. These capabilities enable the malware to gather comprehensive information, which can be used to carry out fraudulent transactions from the victim’s account, potentially leading to significant financial loss.
Hacktivists and Conflict
Hacktivists often see conflict as an opportunity to promote their agenda, to retaliate, and to amplify impressions of fear and chaos, as happened in the Indian state of Jammu and Kashmir last month. And as the Iran-Israel conflict shows, allied nations on either side of a conflict can find themselves targeted by hacktivist attacks. Even before hostilities between Israel and Iran broke out last week, the U.S. was offering a reward for information on CyberAv3ngers/Mr. Soul – a threat actor allegedly aligned with Iran’s IRGC Cyber-Electronic Command – for alleged cyberattacks against critical infrastructure in the U.S. and elsewhere.
Organizations that could find themselves a target of hacktivism are advised to invest in DDoS protections and to take steps to ensure against data breaches, website defacements – and increasingly, ransomware attacks.
